1. Field of the Invention
The present invention generally relates to the field of mobile communications. More particularly, the invention relates to systems and methods for enforcing security policies on mobile communications devices adapted for use in mobile communications networks.
2. Description of the Related Art
Mobile communications terminals have, over the years, increased their data processing capabilities in order to support more and richer services in addition to plain inter-personal communications; on the other hand, portable data processing devices such as Personal Digital Assistants (PDAs) have been enhanced with wireless communications capabilities. As a consequence, many mobile communications terminals can nowadays be regarded as real data processing systems, like Personal Computers (PCs), and the trend is towards a further increase in processing power.
As an undesirable side effect, wireless communications devices, like any other data processing apparatus, have become targets for attacks perpetrated by computer viruses, trojan horses, worms and malware (a contraction of “malicious software”) in general.
Malware may cause fraud, destruction or loss of data, unauthorized access, unavailability of services and violation of privacy, which translates into significant economic losses, both for the user of the mobile terminal and for the mobile communications network operator.
In order to reduce the risk of exposure of mobile communications devices to attacks, methods and systems for enforcing specific security policies have been developed.
A security policy enforcement system is responsible for implementing and ensuring the enforcement of desired security policies on the mobile communications devices. The security policies are typically created by a security administrator, and include rules defining admissible behaviors that minimize the possibility of threats to the security of the generic mobile device and of the data stored therein, as well as to the security of the mobile network operator and/or of an enterprise employing, or visited by, the users of the mobile devices.
Security policies may be defined by different actors according to the specific considered scenario. For instance, security policies may be defined by the end user of the mobile communications device in a consumer scenario, by a security administrator in respect of mobile communications devices of the employees in an enterprise/corporation scenario, by the mobile communications network operator, or by the manufacturer of the mobile communications device, and so on.
Typically, in an enterprise/corporation scenario, the security policies are implemented and administered in a centralized way, in order to set up a uniform and homogeneous security domain. US 2005/0055578 discloses a client/server architecture for managing and enforcing the security policies and for monitoring the status of mobile devices. In that document, the protection of data on a client mobile computing device by a server computer system such as within an enterprise network or on a separate mobile computing device is described. Security tools are described that provide different security policies to be enforced based on a location associated with a network environment in which a mobile device is operating. Methods for detecting the location of the mobile device are described. The security tools may also provide for enforcing different policies based on security features. Examples of security features include the type of connection, wired or wireless, over which data is being transferred, the operation of anti-virus software, or the type of network adapter card. The different security policies provide enforcement mechanisms that may be tailored based upon the detected location and/or active security features associated with the mobile device. Examples of enforcement mechanisms provided are adaptive port blocking, file hiding and file encryption.
WO 2005/064498 discloses a system and method for enforcing a security policy on mobile devices using dynamically generated security profiles. The system and method for enforcing security parameters collects information from a source relating to a mobile device. Based on the collected information, an identity status for the mobile device is determined that uniquely identifies the mobile device and distinguishes it from other mobile devices. The identity status of the mobile device can be determined when the mobile device connects to a computing node source or when the mobile device accesses a resource within the network. A security profile based on the identity status of the mobile device is generated and the security profile is applied to the mobile device.
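The prior-art schemes above select enforcement mechanisms from the context in which the device is operating (detected location, connection type, whether anti-virus software is running). The following is an added illustration, not code from either cited document: a small rule-based policy evaluator in which every rule whose conditions hold contributes its mechanisms, so a more restrictive context can only add enforcement, never relax it. The rule set, attribute names and mechanism names are hypothetical and constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceContext:
    """Facts the enforcement client has detected about its current situation."""
    location: str          # e.g. "corporate" or "public" (hypothetical values)
    connection: str        # "wired" or "wireless"
    antivirus_active: bool


@dataclass(frozen=True)
class PolicyRule:
    name: str
    match: dict            # context attributes the rule requires, {} = always
    enforce: frozenset     # enforcement mechanisms switched on by the rule

    def applies(self, ctx: DeviceContext) -> bool:
        # A rule matches only if every listed attribute equals the detected value.
        return all(getattr(ctx, key) == value for key, value in self.match.items())


# Constructed rule set: each rule names the mechanisms it requires.
RULES = (
    PolicyRule("baseline", {}, frozenset({"block_unused_ports"})),
    PolicyRule("wireless-link", {"connection": "wireless"}, frozenset({"encrypt_files"})),
    PolicyRule("off-site", {"location": "public"}, frozenset({"hide_files", "encrypt_files"})),
    PolicyRule("no-antivirus", {"antivirus_active": False}, frozenset({"block_all_inbound"})),
)


def enforcement_for(ctx: DeviceContext, rules=RULES) -> frozenset:
    """Union of the mechanisms of all matching rules.

    Combining by union means a rule written for a weaker context (e.g. the
    corporate LAN) can never remove a mechanism required by a stricter one.
    """
    active = frozenset()
    for rule in rules:
        if rule.applies(ctx):
            active |= rule.enforce
    return active


if __name__ == "__main__":
    on_site = DeviceContext("corporate", "wired", True)
    roaming = DeviceContext("public", "wireless", False)
    print(sorted(enforcement_for(on_site)))
    print(sorted(enforcement_for(roaming)))
```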